A week of attack Stats
There’s a causal relationship between social isolation and cyber attacks. When the bad guys are bored at home they tend to fill their time with cyber attacks. There is a marked increase in the incidence of attacks around Christmas time and we expected a similar increase during this pandemic.
We are gathering these statistics using honeypots for adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, heralding, honeytrap, mailoney, medpot, rdpy, snare & tanner.
Honeypots
Dionaea attracts 64% of attacks, in large part because it offers many common protocols, including blackhole, epmap, FTP, HTTP, Memcached, mirror, MQTT, MSSQL, MySQL, PPTP, SIP, SMB, TFTP, and UPnP. Heralding also offers many protocols, as you can tell from its 18% market share in our one-week stats test.
Percentage of attacks by country
While you wouldn’t think certain countries would focus on specific protocols, the stats definitely reveal some patterns:
Vietnam and Indonesia’s attack patterns are similar: they primarily target database servers, with a secondary focus on Microsoft file servers.
Russia also focuses on SQL servers, but they don’t discriminate, so there’s a good mix of just about everything within their scope.
Moldova’s main target is VNC.
India primarily attacks file servers.
Is there a connection between originating country and target? It’s hard to say; one week is a very small window for trends and no doubt these patterns will shift next week. But if I were to hazard a guess, I’d say the target has more to do with the attacker’s background than their country of origin. I expect the majority of attackers targeting databases are unemployed database administrators.
Attacker Source IP Reputation
It is not surprising that all the attackers have a bad reputation or are known attackers: the only people connecting to honeypots are attackers. What is interesting is that blocking known attackers only stops 59% of attacks but will likely result in a bunch of false positives.
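As an added example (not code from the original post), here is one way to reproduce the two measurements above from honeypot logs: the share of events per honeypot, and the share of attacks a reputation blocklist would have stopped, counted per event and per distinct source IP. The JSON field names `type` and `src_ip`, the sample events and the blocklist are constructed assumptions, not the post's data or log schema.

```python
import json
from collections import Counter

# Constructed sample (honeypot, source IP, event count); the addresses are
# documentation ranges, not data from the post.
ROWS = [("Dionaea", "192.0.2.10", 4), ("Dionaea", "203.0.113.5", 2),
        ("Heralding", "198.51.100.7", 2), ("Cowrie", "203.0.113.5", 1),
        ("Cowrie", "203.0.113.99", 1)]
# One JSON object per line; "type" and "src_ip" are assumed field names.
SAMPLE_LOG = "\n".join(
    [json.dumps({"type": t, "src_ip": ip}) for t, ip, n in ROWS for _ in range(n)]
    + ['{"type": "Cowrie", "src_']  # truncated line the parser must skip
)
KNOWN_BAD = {"192.0.2.10", "198.51.100.7"}  # constructed reputation list


def parse_events(text):
    """Return events that parse as JSON objects with both assumed fields."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting
        if isinstance(ev, dict) and "type" in ev and "src_ip" in ev:
            events.append(ev)
    return events


def honeypot_share(events):
    """Percentage of all events seen by each honeypot."""
    counts = Counter(ev["type"] for ev in events)
    total = sum(counts.values()) or 1
    return {name: round(100 * n / total, 1) for name, n in counts.items()}


def blocklist_coverage(events, known_bad):
    """Coverage of a reputation list, per event and per distinct source."""
    per_source = Counter(ev["src_ip"] for ev in events)
    total = sum(per_source.values()) or 1
    hit_events = sum(n for ip, n in per_source.items() if ip in known_bad)
    hit_sources = sum(1 for ip in per_source if ip in known_bad)
    unlisted = [(ip, n) for ip, n in per_source.most_common() if ip not in known_bad]
    return {"events_pct": round(100 * hit_events / total, 1),
            "sources_pct": round(100 * hit_sources / (len(per_source) or 1), 1),
            "top_unlisted": unlisted[:3]}
```

The per-event and per-source figures diverge when a few sources generate most of the traffic, so the `top_unlisted` entries show where a reputation list is missing the most volume.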
Here are the top ten worst offenders and how many times they attacked us. The numbers may be large but each time they attacked us, they weren’t attacking anyone else.